Firewall best practices to block ransomware - Sophos
Article by Sophos global solutions engineer Aaron Bugal
Today, getting ‘pwned’ is the rule, rather than the exception.
Organisations that have managed to avoid being breached or attacked are few and far between, with no industry or individual immune.
According to the latest Notifiable Data Breaches Quarterly Statistics Report, more than 290 breaches have been reported by Australian organisations, and 64% of breaches were a result of malicious or criminal attacks.
Cyber-attacks, while not inevitable, are highly probable – with Sophos research revealing that more than two-thirds (69%) of Australian organisations were hit by a cyber-attack in the last year.
The reason – companies can’t see what’s happening on their endpoint devices, leaving them struggling to prevent attacks, or even to know how and when they happened.
At the same time, the threat landscape is constantly evolving, and attackers are getting smarter, meaning organisations are spending longer securing their networks and their data. On average, organisations spend four days a month investigating potential security issues, and roughly 10 hours to detect significant threats.
With the most common threats continuing to include ransomware, time literally means money.
It’s therefore critical that organisations take a proactive approach to cybersecurity – from deploying the right tools and skills, to having support from management to invest and train staff.
When looking specifically at ransomware, a good place to start is an anti-ransomware tool, while also making use of best practices in general to stay safe.
Here are six firewall best practices to block ransomware in an organisation.
- Ensure the right protection is in place. From a high-performance next-gen firewall IPS engine to sandboxing, encryption and backup, organisations need to put the right tools in place to take a proactive approach to cybersecurity.
- Reduce the attack surface. Review all port-forwarding rules to eliminate any non-essential open ports. Every open port represents a potential opening into the network. Where possible, use a VPN to access resources on the internal network from outside rather than port-forwarding. In addition, make sure the ports that remain open are secured by applying suitable IPS protection to the rules governing that traffic.
- Apply sandboxing to web and email traffic to ensure all suspicious active files coming in through web downloads and as email attachments are suitably analysed for malicious behaviour before they get onto the network. As part of this, disable macros in document attachments received via email, which will stop a large number of infections in their tracks.
- Minimise the risk of lateral movement within the network by segmenting LANs into smaller, isolated zones or VLANs that are secured and connected together by the firewall. Be sure to apply suitable IPS policies to the rules governing traffic traversing these LAN segments to prevent exploits, worms and bots from spreading between them. In addition, don’t grant users more login privileges than they need; this reduces risk immediately.
- Automatically isolate infected systems. When an organisation encounters a cyber-attack, it’s important that its IT security solution is able to quickly identify compromised systems and automatically isolate them until they can be cleaned up (either automatically or through manual intervention).
- Stay up-to-date. Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, internet browsers, Flash, and more. If an organisation stays up-to-date on patching, it’ll be far less vulnerable to potential exploits.
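The port-forwarding review and the segmentation checks above can be turned into a repeatable audit of a firewall rule export. The following is an added example, not Sophos code; the rule format, the sample rules and the approved-port list are constructed for illustration.

```python
"""Audit a firewall rule set for the practices described above:
non-essential inbound port-forwards, allow rules with no IPS policy,
and unrestricted traffic between LAN segments (lateral-movement risk)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src_zone: str            # e.g. "WAN", "VLAN10", "any"
    dst_zone: str
    dst_port: str            # "443", "3389" or "any"
    action: str              # "allow" or "deny"
    ips_policy: Optional[str]  # attached IPS policy name, None if none


# Constructed sample export (hypothetical format, not a vendor export).
RULES = [
    Rule("web-dnat", "WAN", "DMZ", "443", "allow", "ips-web"),
    Rule("rdp-dnat", "WAN", "LAN", "3389", "allow", None),
    Rule("smb-dnat", "WAN", "LAN", "445", "allow", None),
    Rule("vlan10-to-vlan20", "VLAN10", "VLAN20", "any", "allow", None),
    Rule("vlan20-to-servers", "VLAN20", "SERVERS", "443", "allow", "ips-lan"),
    Rule("block-all", "any", "any", "any", "deny", None),
]

# Inbound ports the organisation has explicitly approved (constructed).
APPROVED_INBOUND = {"443"}


def audit(rules: List[Rule], approved=APPROVED_INBOUND) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for every allow rule that breaks a check."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules never expose anything
        inbound = r.src_zone == "WAN"
        if inbound and r.dst_port not in approved:
            findings.append((r.name, f"non-essential inbound port {r.dst_port}; prefer VPN"))
        if r.ips_policy is None:
            findings.append((r.name, "allow rule has no IPS policy attached"))
        if not inbound and r.src_zone != r.dst_zone and r.dst_port == "any":
            findings.append((r.name, "unrestricted inter-segment traffic (lateral movement)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

Run against a real export, the function needs only a loader that maps each rule into `Rule`; the checks themselves stay the same.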